Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118639 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 81172 invoked from network); 15 Sep 2022 08:14:48 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 15 Sep 2022 08:14:48 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id C54ED1804BA for ; Thu, 15 Sep 2022 01:14:47 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-ed1-f48.google.com (mail-ed1-f48.google.com [209.85.208.48]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 15 Sep 2022 01:14:47 -0700 (PDT) Received: by mail-ed1-f48.google.com with SMTP id y8so18846016edc.10 for ; Thu, 15 Sep 2022 01:14:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date; bh=uzYEx6ynJX8kS4Nnu7jt2BNxLYbnoFcnO4bGecEpZXo=; b=TEzonKHDORuLITMevrXQk6fjuBM15tua9nmvjGeqho+UwfwfxtIDpJnGg2QwR8ov9l p2eeIpfDJVZ36K/7VxUJFNtn6WhrnJMNN7ASsebF18otXu8xCrChi6wRoHvCSIbwcPRA Sk+TFap3manXePmPISC/naiO5umBL7+CUK9dzvUsoId5RznnxkACRTZvn+zBE/VQUzDC vy/9rPEHGGbSmhB0zXERmC9URbGrD8E3+H5IOkyOxQyGdwSR6bvMNp/1ruiG5EDJM7n6 fPn9ZigsW2QI8xuxuVTx9LZMKYAqTDyYlbIkZYVICf6DjSPMSvur89dMbTKgo5rYodQJ mKCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date; bh=uzYEx6ynJX8kS4Nnu7jt2BNxLYbnoFcnO4bGecEpZXo=; b=QmoOrAa4LJ2WcDFKB889v/PzteeorlyuVUosdFgM+87wX/3fTTChFplt2H2hT80EQx A9f2Ut49Xuw1mnvjoKpA0hDLMaLb31opg1yDuoQEJ1hnK+LunGsd95iooE9K0NVqyL03 ilJ1boqiVc03ujuhn8839LaggNHLpzvIEbya8Eaf9z3q7OXlBJAzOKM0NPoG9IBy5ZM4 Y4U9wOt2tExk6IDmSGuf1GK18nJSrZDEvahe4CeU1nL0jIKl7oTKYL2tpnehToBijgID Lfx8+pNdAP4yVX5QVRiXbfy1nf5LSZgraSNXIj0xfF0jK52y7y8EDY68tS9PasHmicvM lPzw== X-Gm-Message-State: ACgBeo3mHXX3poLXUzzn3bkjwjeOyGSSyfjXXemKpr5eXPqcnrMagQwc r6vGH94EiaStGaghp8SXaPY= X-Google-Smtp-Source: AA6agR42g94BrmC6NofJ3+Fp/HOuTO/fDReLAF0AUL5O+6zDmYbUXWhAy0eo3OU43GEQ/5io0Oi2xQ== X-Received: by 2002:a05:6402:a43:b0:44e:cf0a:5e82 with SMTP id bt3-20020a0564020a4300b0044ecf0a5e82mr32585604edb.118.1663229685969; Thu, 15 Sep 2022 01:14:45 -0700 (PDT) Received: from smtpclient.apple ([89.249.45.14]) by smtp.gmail.com with ESMTPSA id ky21-20020a170907779500b0077453b9dbf1sm8756515ejc.188.2022.09.15.01.14.44 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 15 Sep 2022 01:14:45 -0700 (PDT) Message-ID: <31FFE1D2-8DF3-4DC9-AC25-4B1E5132B99B@gmail.com> Content-Type: multipart/alternative; boundary="Apple-Mail=_CD275EE0-5A2A-48CC-B9E4-41F6F5841539" Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\)) Date: Thu, 15 Sep 2022 10:14:44 +0200 In-Reply-To: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at> Cc: internals@lists.php.net To: Mel Dafert References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at> X-Mailer: Apple Mail (2.3696.120.41.1.1) Subject: Re: [PHP-DEV] Error behaviour for max_input_vars From: claude.pache@gmail.com (Claude Pache) --Apple-Mail=_CD275EE0-5A2A-48CC-B9E4-41F6F5841539 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > Le 13 sept. 2022 =C3=A0 19:58, Mel Dafert a =C3=A9crit = : >=20 > In summary, I believe this can only be solved inside of PHP itself, by = allowing to configure a way for `max_input_vars` to abort the request = instead of truncating the input. > The options I see feasible are: > - A new ini setting `max_input_vars_abort` (default to 0), which, if = set to 1, will abort the request if there are more input variables than = allowed. > - A method to reliably detect whether the input vars were truncated = (eg. `function has_post_been_truncated(): bool`), so the application can = decide whether to abort or not. > - Deciding that `max_input_vars` is not relevant anymore and should be = handled by the likes of Apache and NGINX, thus changing the default to = `0` and removing the setting > over a deprecation period. >=20 > I am leaning towards the first option, but would be open to either = outcome. Hi, A big issue with `max_input_vars` (and indeed any fallible procedure = executed at startup) is that errors occur before that the program has a = chance to install a custom error/exception handler or to open a = try/catch block. For the specific case of $_POST, a possible option would be: * set the ini setting `enable_post_data_reading` to false, so that = $_POST and $_FILES are not populated at startup; * have a function that to enable to populate those variables at runtime: ```php try { read_post_data([ 'max_input_vars' =3D> 100_000 ]); } catch (\TooManyInputVarsException) { // custom panic procedure } ``` A more general solution would be to be able to retrieve all errors (not = just the last) that has been triggered at startup, e.g.: ```php set_error_handler('app_specific_error_handler'); replay_error_triggered_at_startup(); // will re-trigger all errors that = has occurred before the first line of code ``` =E2=80=94Claude --Apple-Mail=_CD275EE0-5A2A-48CC-B9E4-41F6F5841539--